StealC Disrupted: Cleanup Steps

Vladimir Krasnogolovy
3 Min Read
StealC and Amadey Operation Endgame disruption warning with cleanup required checklist
StealC and Amadey disruption warning showing severed command-and-control lines and a cleanup-required checklist.

Update, June 24, 2026: Microsoft, Europol, ESET, and other partners disrupted infrastructure used by StealC and Amadey as part of Operation Endgame. The update does not mean every infected computer is clean. It means many command-and-control servers and domains were taken down, while anyone who ran a StealC payload should still treat browser passwords, session cookies, crypto wallets, and saved logins as exposed.

StealC is an infostealer sold as malware-as-a-service. It steals data from browsers, extensions, cryptocurrency wallets, messaging apps, email clients, and other desktop software. Amadey is commonly used as a loader: it gives attackers an initial foothold and can deliver stealers or other payloads. Together they form the kind of commodity malware chain that turns one infected Windows device into stolen credentials, sold access, and follow-on fraud.

What Changed in the June 24 Operation Endgame Disruption?

Microsoft said its Digital Crimes Unit worked with Europol and partners to take down, suspend, block, or notify providers about more than 200 malicious Amadey and StealC command-and-control domains and IP addresses. Europol said the wider action disrupted 326 servers and 142 domains, recovered about 27 million stolen login credentials, and restricted criminal crypto assets worth more than $47 million.

ESET, which assisted the operation, said the action affected roughly 50 domains and nearly 200 active IP-based C&C servers associated with Amadey and Stealc. Microsoft also reported that the two malware families were linked to more than 140,000 infected computers globally during the first two weeks of May 2026 alone.

Fact Why it matters
StealC steals browser, wallet, app, and session data. Password changes from the same infected device are not enough; stolen cookies and tokens may remain valid until sessions are revoked.
Amadey can act as a loader for StealC and other malware. A visible stealer detection may not be the only payload. Check persistence, startup entries, scheduled tasks, and follow-on malware.
Operation Endgame disrupted infrastructure, not every endpoint. A takedown can break attacker control, but local cleanup and account recovery are still user-side tasks.
StealC and Amadey attack flow showing loader, data theft, C2 disruption, and user cleanup steps
Operation Endgame can disrupt command-and-control infrastructure, but users still need to scan the device, revoke sessions, and reset passwords from a clean device.

How StealC Spread Before the Disruption

Sekoia first described Stealc in 2023 as a copycat-style infostealer influenced by Vidar, Raccoon, Mars, and RedLine. Its operators advertised it on forums and Telegram as a configurable stealer with an admin panel, and early samples targeted browsers, browser extensions, desktop wallets, and selected file types.

StealC infostealer advertisement shown in early threat research
Early StealC advertising showed how the malware was marketed to criminal buyers. Source: Sekoia research screenshot.

The original distribution paths included fake cracked-software and download lures. That pattern still matters: StealC and similar stealers often reach users through fake installers, malicious ads, video tutorials, archive files, fake updates, and social-engineering chains. Recent campaigns involving stealers have also used ClickFix-style prompts, malicious scripts, and loader services before the final payload appears.

Example download site used to distribute a StealC stealer payload
Example of a download site used in early StealC distribution research. Source: Sekoia research screenshot.

What to Do if StealC or Amadey May Have Run on Your PC

  1. Disconnect the device from sensitive accounts first. Do not log in to email, banking, crypto, work, or password-manager accounts from the suspected machine until it is cleaned.
  2. Remove the malware and check for persistence. Look for unknown startup entries, scheduled tasks, recently dropped files in Downloads/AppData/Temp, browser changes, and security-tool alerts that return after reboot.
  3. Clean before changing passwords. Change passwords from a separate trusted device. If you reset passwords from the infected PC, a stealer or loader may capture the new credentials too.
  4. Revoke sessions, not just passwords. Sign out of all sessions, revoke OAuth/connected apps, rotate API keys, reset crypto-wallet seed exposure assumptions, and check email forwarding rules.
  5. Watch for follow-on fraud. Stolen logs can fuel account takeover, payment fraud, fake support contacts, and ransomware access even after part of the malware network is disrupted.

If a suspicious installer, cracked app, fake update, or script already ran, a normal delete-and-reboot is not enough. Security tools may remove the visible payload while a loader, scheduled task, service, browser change, or another bundled component remains and restores access later. Run a full Gridinsoft Anti-Malware scan, remove detections, reboot, and scan again if alerts or browser/session symptoms return.

FAQ

Does the Operation Endgame disruption mean StealC is gone?

No. It disrupted a large part of the infrastructure used by StealC and Amadey, but malware operators can rebuild, switch servers, or use already stolen data. Treat it as good news, not as proof that affected devices are safe.

Should I change passwords if StealC was detected?

Yes, but change them from a clean device after the infected computer is isolated and scanned. Also revoke sessions and connected apps, because infostealers can steal cookies and tokens that survive a password change.

Is Amadey the same malware as StealC?

No. Amadey is primarily a loader/bot that can deliver additional malware. StealC is the infostealer that collects credentials, wallet data, browser information, and other sensitive files. They are dangerous together because the loader can install the stealer and other payloads.

References

  1. Sekoia.io. “Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity.” Sekoia Threat Research, February 2023, accessed June 24, 2026. https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
  2. Microsoft Security. “StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them.” Microsoft Security Blog, June 24, 2026, accessed June 24, 2026. https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/
  3. Europol. “Global cyber strike disrupts SocGholish, Amadey and StealC malware networks.” Europol Newsroom, June 24, 2026, accessed June 24, 2026. https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
  4. ESET Research. “ESET takes part in Operation Endgame to disrupt Amadey and Stealc.” WeLiveSecurity, June 24, 2026, accessed June 24, 2026. https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/
Share This Article
Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?